Signature location

Overview

A given XML message can contain several XML signatures. Consider an XML document (for example, a company policy approval form) that must be digitally signed by a number of users (for example, department managers) before being submitted to the destination web service (for example, a company policy approval web service). Such a message contains several XML signatures by the time it is ready to be submitted to the web service.

In such cases, where multiple signatures are present within a given XML message, it is necessary to specify which signature the API Gateway should use in the validation process. You can specify the location of the signature in the XML message in the XML Signature Verification filter. For more information on validating XML signatures, see XML signature verification in the API Gateway Policy Developer Filter Reference.

Signature location options

The API Gateway can extract the signature from an XML message using several different methods:

WS-Security block

SOAP message header

Advanced (XPath)

Select the most appropriate method from the Signature Location field. Your selection depends on the types of SOAP messages that you expect to receive. For example, if incoming SOAP messages contain an XML signature within a WS-Security block, choose WS-Security block from the list.

Use WS-Security actors

If the signature is present in a WS-Security block:

Select WS-Security block from the Signature Location field.

Select a SOAP actor from the Select Actor/Role(s) field. Each actor identifies a separate WS-Security block in the SOAP header. Selecting Current actor/role only from the list takes the WS-Security block that has no actor attribute.

If the selected WS-Security block itself contains more than one signature, use the Signature Position field to choose the one the filter should verify. Note that both the actor attribute and the order of signatures in the block are set by the sender; they tell the filter where to look, not what the signature covers, so the policy should still confirm that the selected signature's references cover the parts of the message it relies on.

The following is a skeleton version of a message where the XML signature is contained in the sample WS-Security block (soap-env:actor="sample"):

Use SOAP header

If the signature is present in the SOAP header:

Select SOAP message header from the Signature Location field.

If there is more than one signature in the SOAP header, you must specify which one the API Gateway should use by setting the Signature Position field.

The following is an example of an XML message where the XML signature is contained within the SOAP header:

Because the elements referenced in the expression (Envelope and Signature) are prefixed elements, you must define the namespace mappings for each of these elements as follows:

Prefix   URI
s        http://schemas.xmlsoap.org/soap/envelope/
dsig     http://www.w3.org/2000/09/xmldsig#

When adding your own XPath expressions, define the namespace mapping for every prefix you use in the same way. An unprefixed name in an XPath expression matches only elements that are in no namespace, so an expression that omits the mappings silently selects nothing, and a correct mapping also avoids clashes where elements of the same local name but different namespaces are present in the same XML message.
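The three Signature Location choices, the actor and position selection described under "Use WS-Security actors" and "Use SOAP header", and the namespace-mapping requirement above, as an added Python example that is not code from this page or from the API Gateway itself. It re-creates each choice over a constructed SOAP skeleton using only the standard library. The wsse namespace URI, the Id attributes on the signatures, the function names and the message contents are assumptions made for the example; the filter's real behaviour is only described on the page, not reproduced.

```python
# Added example (not code from the page or from the API Gateway product):
# a minimal re-implementation of the three Signature Location choices
# over a constructed SOAP message, using only the standard library.
import xml.etree.ElementTree as ET

# Namespace prefixes as the page defines them, plus wsse for the
# WS-Security header (the 2004 OASIS URI; an assumption, not from the page).
NS = {
    "s": "http://schemas.xmlsoap.org/soap/envelope/",
    "dsig": "http://www.w3.org/2000/09/xmldsig#",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/"
            "oasis-200401-wss-wssecurity-secext-1.0.xsd",
}

# Constructed skeleton message (not the page's own sample). Signature bodies
# are stubbed because only their placement matters here; the Id attributes
# are added so each function can report which signature it picked.
SAMPLE_MESSAGE = f"""\
<s:Envelope xmlns:s="{NS['s']}" xmlns:wsse="{NS['wsse']}" xmlns:dsig="{NS['dsig']}">
  <s:Header>
    <wsse:Security s:actor="sample">
      <dsig:Signature Id="sig-manager-1"><dsig:SignedInfo/></dsig:Signature>
      <dsig:Signature Id="sig-manager-2"><dsig:SignedInfo/></dsig:Signature>
    </wsse:Security>
    <wsse:Security>
      <dsig:Signature Id="sig-no-actor"><dsig:SignedInfo/></dsig:Signature>
    </wsse:Security>
    <dsig:Signature Id="sig-plain-header"><dsig:SignedInfo/></dsig:Signature>
  </s:Header>
  <s:Body><PolicyApproval/></s:Body>
</s:Envelope>
"""


def wssecurity_signatures(root, actor=None):
    """WS-Security block option: Signature children of the Security block
    whose soap actor equals `actor`. actor=None corresponds to the
    'Current actor/role only' choice, i.e. the block with no actor attribute."""
    actor_attr = "{%s}actor" % NS["s"]
    for security in root.findall("s:Header/wsse:Security", NS):
        if security.get(actor_attr) == actor:
            return security.findall("dsig:Signature", NS)
    return []


def soap_header_signatures(root):
    """SOAP message header option: Signature elements that are direct
    children of the SOAP Header rather than inside a WS-Security block."""
    return root.findall("s:Header/dsig:Signature", NS)


def xpath_signatures(root, expression, namespaces):
    """Advanced (XPath) option: evaluate a caller-supplied path with the
    caller's own prefix map. ElementTree raises SyntaxError for a prefix
    missing from the map; an unprefixed name matches no namespaced element."""
    return root.findall(expression, namespaces)


def pick_signature(signatures, position=1):
    """Apply the Signature Position field (1-based). An out-of-range
    position is an error, never silently 'the last one'."""
    if not 1 <= position <= len(signatures):
        raise LookupError("signature position %d out of range (found %d)"
                          % (position, len(signatures)))
    return signatures[position - 1]


def locate(message, location, actor=None, position=1, xpath=None, namespaces=None):
    """Dispatch on the Signature Location choice and return the Id of the
    Signature element the filter would go on to verify."""
    root = ET.fromstring(message)
    if location == "WS-Security block":
        candidates = wssecurity_signatures(root, actor)
    elif location == "SOAP message header":
        candidates = soap_header_signatures(root)
    elif location == "Advanced (XPath)":
        candidates = xpath_signatures(root, xpath, namespaces)
    else:
        raise ValueError("unknown Signature Location: %r" % location)
    return pick_signature(candidates, position).get("Id")


if __name__ == "__main__":
    print(locate(SAMPLE_MESSAGE, "WS-Security block", actor="sample", position=2))
    print(locate(SAMPLE_MESSAGE, "WS-Security block"))  # block with no actor
    print(locate(SAMPLE_MESSAGE, "SOAP message header"))
    print(locate(SAMPLE_MESSAGE, "Advanced (XPath)",
                 xpath='s:Header/wsse:Security[@s:actor="sample"]/dsig:Signature',
                 namespaces=NS))
```

Running the module prints the Ids sig-manager-2, sig-no-actor, sig-plain-header and sig-manager-1 in turn. Passing the XPath form without a prefix map (for example `Header/Signature`) selects nothing and `pick_signature` raises, which is the silent-miss the namespace-mapping rule above guards against; omitting only the `dsig` mapping raises SyntaxError instead.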